Networking Flashcards
Security groups are attached to?
Elastic Network Interfaces (ENI) - and not instances
How do you explicitly block traffic within a VPC?
With NACLs. Security Groups do NOT support this.
Which protocol and port does BGP operate on?
TCP/179
What is the number range for ASNs within BGP?
0-65535
Which ASN numbers within BGP are private?
64512-65534
What’s iBGP?
Internal BGP - Routing within an Autonomous System (AS)
What’s eBGP?
External BGP - Routing between Autonomous Systems (AS)
What are the “anycast IP addresses” of AWS Global Accelerator?
Two static IP addresses that serve as a fixed entry point to an application hosted in one or more AWS Regions.
What’s the max. bandwidth of a single VPN connection (with two tunnels)?
1.25 Gbps
What’s the max. bandwidth of a Virtual Private Gateway?
For VPN connections: 1.25 Gbps
For DX connections: same as the DX connection
What are valid attachments for AWS Transit Gateway (TGW)?
One, or more, of the following:
- VPC
- VPN
- Direct Connect Gateway
- Transit Gateway Peering
- Transit Gateway Connect
Does AWS Transit Gateway (TGW) support transitive routing?
Yes, if route tables are set up correctly
What are key features of AWS Transit Gateway (TGW)?
Transitive routing, cross region (via peering) and cross account support.
IMPORTANT: they are regional components, so they have to be placed in a specific region and be peered to provide cross-region support. This also means that they fail if a complete region fails.
Up to how many route tables can a subnet have assigned?
1 (and always 1 as a subnet must always have a route table assigned)
What network elements can route tables be assigned to?
- VPCs
- Subnets
- Gateways (IGW, VGW, TGW, Outposts local gateway)
What are the default limits of a route table?
50 static and 100 dynamic routes
What’s route propagation in the context of AWS VPC’s Route Tables, and what is the maximum number of connections in this context?
An option of route tables that allows Virtual Private Gateways (VGW) to dynamically add routes that the VGW learns from an attached VPN connection to its associated route table. The maximum number of dynamic routes that can be added this way is 100 (per route table).
What criteria does a route table use to decide where to route traffic (starting with the most relevant criterion)?
- Prefix length
- Static Routes
- Dynamic Routes (and inside Dynamic Routes: DX > VPN Static > VPN BGP > AS_PATH)
What’s a Gateway route table?
A special type of route table that can be assigned to Internet Gateways (IGW), Virtual Private Gateways (VGW) and Transit Gateways (TGW).
With which network component can you use Accelerated Site-To-Site VPN?
Only with AWS Transit Gateways (TGW), so when creating a TGW VPN attachment.
What costs are associated with using an Accelerated Site-To-Site VPN?
What are the costs for AWS Site-to-Site VPN connections based on?
- hours the VPN connection is provisioned ($/h)
- egress fee ($/GB)
- hourly fee for the two Global Accelerators
- accelerator transfer fee for the dominant direction
What are the two possible attachments for a Site-To-Site VPN?
- Transit Gateway (TGW)
- Virtual Private Gateway (VGW)
What are the bandwidths available for Direct Connect (DX) when provided natively by AWS (so-called “Dedicated Connection”)?
1, 10 and 100 Gbps (the latter only at selected locations)
What’s a hosted virtual interface (VIF)?
It’s a virtual interface type that can be used to share an AWS Direct Connect connection with another AWS account.
What’s the maximum number of VIFs per AWS Direct Connect (DX) connection?
50 private/public VIFs + 1 transit VIF
What’s a Hosted Connection in the context of AWS Direct Connect (DX)?
It’s a DX connection provided by an AWS Partner that provides exactly one hosted VIF that a customer can acquire. The bandwidth of that VIF is exclusive to the customer.
What are the bandwidths available for AWS Direct Connect (DX) when provided by an AWS Partner?
50Mbps - 10Gbps
What’s important to know about Hosted VIFs when provided by an AWS Partner?
Unlike Hosted Connections, Hosted VIFs provided by an AWS Partner share the bandwidth with other Hosted VIFs on that same connection. Therefore, bandwidth could be lower than what’s been ordered/promised.
Do AWS Direct Connect (DX) connections send data in plain text or encrypted?
In plain text, unless additional technologies such as VPN are applied.
What’s a Cross-Connect in the context of AWS Direct Connect (DX)?
The physical link between the AWS DX router and the customer/provider DX router inside a DX location. Note: this is NOT the physical connection between the DX location and the on-premises location.
Can Link Aggregation Groups (LAGs) use connections of different speeds?
No. All connections must have the same speed.
What’s the primary purpose of Link Aggregation Groups (LAGs)?
Speed. And NOT resilience (even though they do improve certain resilience aspects of the architecture).
What’s the ‘minimumLink’ attribute used for within the context of Link Aggregation Groups (LAGs)?
It defines the minimum number of healthy connections at which the LAG is still considered healthy. For instance, with a LAG of 4 DX connections and a minimumLink of, the LAG is still healthy with only 2 DX connections.
What’s the maximum number of Virtual Private Gateways (VGW) per DX Gateway and can it be increased?
10
Cannot be increased
https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html
Do Virtual Private Gateways (VGWs) support inter-VPC-routing?
No
What’s the maximum number of DX Gateways supported per DX Connection?
50
What are valid targets for an Application Load Balancer?
Target groups operating on HTTP/HTTPS level, using the following target types:
- EC2 instances (incl. ECS-provided instances)
- IP addresses
- Lambda functions
Can an internet-facing ELB communicate with EC2 instances from private or public subnets, or both?
Both (so also instances in private subnets are accessible for the ELB)
What’s an Interface Endpoint attached to?
A specific subnet, as an ENI (so they are not highly available by default!)
What’s a Gateway Endpoint attached to?
A VPC
What protocols do Interface Endpoints support?
IPv4 traffic over TCP only
How can you restrict access to an Interface Endpoint?
Via Endpoint Policy and via Security Groups (as it’s an ENI)
What’s the maximum single-flow network throughput at which EC2 instances can communicate with each other in a Cluster Placement Group?
10 Gbps (vs. the 5 Gbps you’d have normally)
What are limitations (i.e. things to look out for) when creating Cluster Placement Groups?
- All EC2 instances must reside in the same AZ
- Requires a supported instance type
- All instances should be of the same type and started at the same time
What’s the maximum number of instances in a single AZ when using Spread Placement Groups?
7
What tenant options can you use for Spread Placement Groups?
Shared only. “Dedicated Instance” or “Dedicated Host” are not supported with Spread Placement Groups.
What’s the maximum number of partitions in a single AZ when using Partition Placement Groups?
7
What’s the maximum number of instances in a single AZ when using Partition Placement Groups?
There is no explicit limit. Instead, the same limit applies as when not using any Placement Group at all (so it is just limited by the max. number of currently free instances in that AZ).
For which type of workloads are Partition Placement Groups ideal?
Large, distributed and replicated workloads, such as Apache’s HDFS (file system), HBase, and Cassandra (both NoSQL DBs). Ideally, topology-aware workloads/applications.
What’s the largest CIDR range allowed in a VPC?
/16
Are NAT Gateways deployed into a VPC, or into the subnet of a VPC? Are they highly available?
Into PUBLIC subnet(s), so they are not resilient to AZ failures. They are however highly available inside an AZ, which makes them more reliable than NAT Instances.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-comparison.html
802.1Q is a networking standard used for what?
Virtual LANs (VLANs) - used often in company networks, but also in AWS, to isolate networks
802.1AD is a networking standard used for what?
Nested QinQ VLANs - used often by service providers, extending the VLAN standard (802.1Q)
For an Ethernet frame, what’s the payload size in bytes above which a frame is considered a “jumbo” frame, and what’s the max. size of a jumbo frame’s payload?
> 1500 bytes
Max.: 9000 bytes
Which of the following does/does not support jumbo frames?
1) Traffic outside of a single VPC: no
2) Traffic over an inter-region VPC peering connection: no
3) Traffic over a same-region VPC peering connection: yes
4) Traffic over VPN connections: no
5) Traffic over an internet gateway: no
6) Direct Connect: yes
7) Transit Gateway: yes, up to 8500 bytes
What’s IKE Phase 1 used for in the context of IPSec VPN?
Initial phase of an IPSec VPN connection where symmetric keys are exchanged via asymmetric encryption - results in a “phase 1 tunnel” that stays open
What’s IKE Phase 2 used for in the context of IPSec VPN?
Second phase of an IPSec VPN connection where the parties agree on an encryption method and a new set of keys that is used for the bulk data transfer - results in a “phase 2” tunnel that is used for the actual data transfer - the phase 2 tunnel is torn down again when no more “interesting traffic” occurs
When having a Client VPN set up, what do you need to do so that traffic between local clients, and from local clients to the internet, is not routed via the Client VPN Endpoint?
You must enable a “Split Tunnel” on the Client VPN endpoint, so that the Client VPN routes are merely added to the existing ones, rather than replacing them.
What’s the difference between Private and Public VIFs?
Private VIFs connect to private AWS resources such as a Virtual Private Gateway. Public VIFs connect to public AWS resources such as S3 or SQS, or resources with public IP addressing.
What’s the physical medium that Direct Connect runs over?
Fiber (no copper!)
What’s the Ethernet standard required for a transceiver to support a 1 Gbps Direct Connect connection?
1000BASE-LX
What’s the Ethernet standard required for a transceiver to support a 10 Gbps Direct Connect connection?
10GBASE-LR
What’s the Ethernet standard required for a transceiver to support a 100 Gbps Direct Connect connection?
100GBASE-LR4
What do you need to configure regarding the following attributes on Direct Connect ports to ensure proper function?
- Auto-Negotiation
- Port speed
- Full-Duplex
- Auto-Negotiation: disabled
- Port speed: manually set
- Full-Duplex: manually set
What’s MACSec and what problem does it solve in the context of Direct Connect?
It’s an Ethernet standard that enables encryption of frames between two switches/routers; specifically, with AWS Direct Connect, encryption between the on-premises router and the AWS cage router at the DX location.
The two problems it solves/benefits it provides are:
- Layer 2/3 confidentiality and integrity: secures the Ethernet link, incl. Layer 2 packets such as ARP & DHCP, and Layer 3 routing protocols like BGP
- High speed encryption: enables encryption with 10/100 Gbps DX, which would otherwise be difficult to achieve (would require multiple VPN tunnels).
What’s a Letter of Authorization Customer Facility Access (LOA-CFA) form used for?
It’s a document used to authorize a cross-connect between an AWS cage and the customer or com-provider cage at a Direct Connect location.
What’s a VIF referring to in the context of AWS?
Virtual Interface
Allows running multiple layer 3 sessions over the same layer 2 connection. Consists of a BGP Peering session + VLAN.
What’s a transit VIF referring to in the context of AWS?
Allows integration between Transit Gateways and Direct Connect.
What’s Layer 2 Adjacency?
Two network devices that can directly communicate with each other on layer 2, i.e. exchanging frames.
What’s BGP peering?
Used to exchange network information between two BGP systems.
What’s MTU and in which context is it used?
Maximum transmission unit = size of the largest protocol data unit (PDU) that can be communicated in a single network layer transaction.
Relates to, but is not identical to, the maximum frame size of an Ethernet frame. As with Ethernet frame sizes, an MTU larger than 1500 is typically referred to as “Jumbo Frames”.
What AWS network components can you associate a private VIF with?
- Virtual Private Gateway (VGW)
- Direct Connect Gateway
NOT: Transit Gateways (that’s what “transit VIFs” are for)
What’s the maximum number of prefixes that can be advertised via private VIFs?
100 (hard limit)
Note: if advertising more, the interface will move into an Idle state and won’t be functional.
What is an important consideration regarding cross-region functionality when using private VIFs with Virtual Private Gateways?
Private VIFs can only connect to VPGs in the same region as the DX location
When establishing an IPSec VPN connection, do you have to use a private or public VIF?
Public VIF (as the VGW IPs that the connection is established with on the AWS side are public)
What’s the maximum number of VPCs you can attach via a single Direct Connect connection using private VIFs and Direct Connect Gateways (when not using any other network component such as Transit Gateways)?
1 Private VIF = 1 DX Gateway & 10 VGW per DX Gateway
1 DX can have 50 private VIFs == 50 DX Gateways == 500 VPCs
When using Direct Connect (DX) Gateway, can VPCs that are attached to the DX Gateway communicate with each other?
No, not by default. This requires either additional networking components such as Transit Gateway, or routing via the Customer Gateway Router (which is not ideal due to performance and resilience reasons).
How many Transit Gateways can be attached to a single Direct Connect connection?
3 (1 transit VIF per DX connection and 3 TGW per transit VIF)
Can you associate a Direct Connect Gateway with private VIFs, public VIFs or transit VIFs at the same time?
No. Public VIFs cannot be used with Direct Connect Gateways anyway. And you cannot use a Direct Connect Gateway with private and transit VIFs at the same time.
How many physical connections can be aggregated per Link Aggregation Group (LAG) with Direct Connect?
2 x 100 Gbps
- or -
4 x < 100 Gbps (10 Gbps, 1 Gbps, etc.)
==> Max: 200 Gbps
Do Link Aggregation Groups (LAG) provide improved resilience?
Yes, but very limited, so it should not be considered for improving resilience. The key advantage is improved performance (with the caveat of admin overhead though).
What’s “Connection Draining” and by which AWS resource/service is it used?
It’s a mechanism of the Classic Load Balancer that allows in-flight requests to complete even if the target instance is unhealthy or in the process of being deregistered.
The equivalent mechanism for ALB, NLB and GWLB is called “Deregistration Delay”, that is configured on the Target Group level though, not on the LB itself.
What’s “Deregistration Delay” and by which AWS resource/service is it used?
Allows Application Load Balancers (ALBs), Network Load Balancers (NLBs) and Gateway Load Balancers (GWLBs) to complete in-flight requests even if the target instance is unhealthy or in the process of being deregistered.
The equivalent mechanism for the Classic Load Balancer is called “Connection Draining”, which is configured directly on the Load Balancer though, and not via the Target Group.
What’s the X-Forwarded-For header being used for in the context of AWS Load Balancing?
It’s an HTTP header, used by Classic Load Balancers and Application Load Balancers to ensure that the target is able to identify where a request originated.
What’s the Layer 4 equivalent of an X-Forwarded-For header and in which scenario is it necessary to use it even for HTTP/HTTPS?
PROXY Protocol, which is a layer 4 header, supported by Classic Load Balancer and Network Load Balancer. If an unbroken HTTP/HTTPS connection is required, PROXY Protocol has to be used instead of X-Forwarded-For. That’s because adding the X-Forwarded-For header is a layer 7 operation and is possible only by decrypting the packets, adding the header, and re-encrypting them.
What’s the GENEVE protocol and by which AWS service/product is it being used?
It’s a network encapsulation protocol used by AWS Gateway Load Balancers.
Do VPC Flow Logs capture packet contents, packet metadata, or both?
Only packet metadata
To which three elements can VPC Flow Logs be applied?
VPC, Subnet, Interface (ENI)
Can you use VPC Flow Logs for real-time analysis of network traffic?
No, as data is not collected and served in real-time.
What’s the sequence for Source & Destination Address, Source & Destination Port numbers, and Protocol in VPC Flow Logs?
Example: 2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
- Source Address: 172.31.16.139
- Destination Address: 172.31.16.21
- Source Port: 20641
- Destination Port: 22
- Protocol: 6 (=> TCP)
What traffic is explicitly ignored by VPC Flow Logs?
- instance metadata service (169.254.169.254)
- DHCP
- Amazon DNS server
- Amazon Windows license server
For which AWS services does AWS Shield Standard provide protection against Layer 3 and Layer 4 DDoS Attacks?
- Route 53
- CloudFront
For which AWS services does AWS Shield Advanced provide protection against Layer 3 and Layer 4 DDoS Attacks?
- EC2
- Elastic Load Balancing (ELB)
- Global Accelerator
This is in addition to the following services, which are already covered by AWS Shield Standard:
- CloudFront
- Route 53
What are benefits provided by AWS Shield Advanced as compared to AWS Shield Standard?
- Layer 3 and 4 DDoS protection for additional services
- Layer 7 protections (HTTP and DNS floods)
- DDoS Response Team
- Financial Insurance (if resources scale up due to Shield response)
What AWS services does Web Application Firewall (WAF) integrate with?
- Application Load Balancer
- API Gateway
- CloudFront
- AppSync
What are common attacks that Web Application Firewall (WAF) protects from?
SQL Injections, Cross-Site Scripting
What are valid targets for Network Load Balancer?
Target groups operating on TCP/TLS/UDP level, using the following target types:
- EC2 instances
- IP addresses
- Application Load Balancer
What’s the minimum number of subnets required to create an Elastic Load Balancer?
2
What’s a Transit Gateway (TGW) Connect attachment?
An attachment for Transit Gateway that establishes a connection from the TGW to a third-party virtual appliance (such as SD-WAN appliances).
What’s EBS-optimized?
A feature that’s available for selected EC2 instance types, delivering dedicated throughput between EC2 and EBS with options between 500 and 4,000 Mbps.
What are the two types available for “Enhanced networking” in EC2 and what speeds do they provide?
- Elastic Network Adapter (ENA) - up to 100 Gbps
- Intel 82599 Virtual Function (VF) interface - up to 10 Gbps
What problem does a Direct Connect (DX) Gateway solve?
Before DX Gateways, DX connections could only be established if the DX location and the target Virtual Private Gateway (VPG), along with the attached VPC, were in the same region. A DX Gateway, by contrast, is a global service and can serve as a hub between a DX location and VPGs, so that one DX connection can connect to VPCs in any region.
For maximizing network performance between EC2 instances, what are valid options?
- Launch instances in Cluster Placement groups
- Use bigger instance types
- Enable Enhanced Networking
- Enable jumbo frames
Attaching multiple ENIs can also improve network performance, but depending on the instance type, may not bring anything at all. This is why the options above should be preferred.
Can you associate a NACL with a VPC, subnet, or both?
Both
VPCs come with a default NACL, which is also the NACL that a subnet inside that VPC uses, if no other NACL is assigned to the subnet.
What are the two IPv4 addresses that Amazon’s DNS server is reachable under for a VPC with the CIDR 172.31.0.0/16?
- 169.254.169.253
- 172.31.0.2 (VPC base address +2)
What is the Amazon DNS server IPv4 address for an instance launched in a subnet with CIDR 172.31.80.0/20, that is part of a VPC with CIDR 172.31.0.0/16?
172.31.0.2 (VPC base address +2)
Note: alternatively, 169.254.169.253 works as well, but here it’s the VPC-based Amazon DNS server IPv4 address that we’re looking for.
When launching an EC2 instance in a non-default VPC, what options are required so that it can receive a public IPv4 address?
Two available options:
A) The subnet that the instance is launched in must have the “Auto-assign public IPv4 address” set to true.
B) When configuring the instance’s configuration details during the launch, the “Auto-assign Public IP” option is enabled.
Note: to actually receive the IP, the subnet must also be connected to an IGW.
On which level do you enable Sticky Sessions - Load Balancer or Target Group?
Depends on the Load Balancer type:
- for Classic Load Balancer: on the LB-level
- for other Load Balancers: on the TG-level
What’s a “Target Group” used for in EC2?
Used in conjunction with Load Balancers. Defines the targets to which the Load Balancer sends traffic, which can be any of the following:
- Instances
- IP addresses
- Lambda function
- Application Load Balancer
Note: depending on the protocol used by the Target Group, the Target Group may or may not be visible when creating a Load Balancer. An NLB, for instance, can use only Target Groups where the protocol is TCP/TLS/UDP.
When setting up a VPN, for which VPN type (static or dynamic) do you need to provide a CIDR range?
For static VPNs
To which VPC component are Internet Gateways (IGWs) attached, and how does this relate to High-Availability?
They’re attached directly to the VPC (and not to the subnet for instance). It’s a highly available component that is redundant across AZs, so failure of one or more AZs would not impact the IGW.
To which VPC component are NAT Gateways (NGWs) attached, and how does this relate to High-Availability?
Like NAT Instances, NAT Gateways are created inside a single subnet. If the AZ that the subnet resides in fails, the NAT Gateway won’t be available anymore. To ensure High-Availability, multiple NAT Gateways are therefore required, spread across different AZs, with routes being set up from the different subnets across those multiple NAT Gateways.
What is correct regarding the following on VPC Gateway Endpoints?
- AZ failure resilience
- Prefix Lists vs DNS
- Can be used without application changes
- They’re resilient to AZ failure
- They use Prefix Lists
- They can be used without any application changes
What is correct regarding the following on VPC Interface Endpoints?
- AZ failure resilience
- Prefix Lists vs DNS
- Can be used without application changes
- They’re NOT resilient to AZ failure by default, but can be made to by placing multiple interface endpoints into different AZs
- They use DNS
- They can be used without any application changes, but only if Private DNS is enabled
Can you access VPC Interface Endpoints from outside of a VPC? If so, how?
Yes, via AWS Site-to-Site VPN or AWS Direct Connect
How many VGWs can you attach to a single VPC at a time?
1
What are ENI, ENA and EFA and how do they differ from each other in terms of network speed, IO performance, latency, CPU and the ideal use case?
ENI (Elastic Network Interface) is the default network adapter for any EC2 instance and other VPC components such as PrivateLink, providing up to 10 Gbps, suited for general purposes.
ENA (Elastic Network Adapter) is an enhanced networking option using single root I/O virtualization (SR-IOV). It provides higher network speed and I/O performance, lower CPU utilization and lower (and consistent) latencies. Available only on supported instance types, enabled by default on Nitro instances. Note: an alternative to ENA is the “Intel 82599 VF interface”, which is considerably slower but uses the same technique (SR-IOV).
EFA (Elastic Fabric Adapter) is ENA with added capabilities. It further improves network speed, I/O performance and latencies. Behind the scenes, EFA uses OS-bypass capabilities, which makes it ideal for High Performance Computing (HPC) and machine learning applications.
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_ElasticNetworkInterfaces.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/efa.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/enhanced-networking.html
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/enhanced-networking.html